TABLE 1

DATA	SOU RCE	TIME	DESCRIPTION

ACL_02	Computer_01	02:45:00	Attempt to Add
			permission for
			User_01 to access
			File_05
User 5 mail	Computer_05	02:40:00	Simultaneous
Database			session opened from
			Computer_04
ACL_02	Computer_01	02:39:00	Add permission for
			User_01 to access
			File_04
File_01	Computer_03	02:37:00	Read File_01
ACL_02	Computer_02	02:34:00	Delete permission
			for User_02 to
			access File_01

As shown in Table 1, each entry in the log file may indicate the particular data attempted to be accessed, in addition, with respect to each entry, an identifier of a computer that initiated the attempt may be recorded, along with a time of the attempt. The description of each log file entry may indicate the type of access attempted, as also shown. While not shown, it should be noted that a flag, or any other desired indicator, may be associated with each entry in the log file for indicating whether access to the data associated with the attempt was prevented, allowed, successful, etc., and optionally any actions taken in response thereto (e.g. notifications, etc.).

Furthermore, as shown inoperation408, the information associated with the attempt to access the data is heuristically analyzed. For example, the heuristic analysis may include an analysis of the information with respect to any other information in the log file associated with another (e.g. previous) attempt to access the data. In this way, characteristics, patterns, etc. associated with attempts to access the data may be identified utilizing the heuristic analysis.

Additionally, it is determined whether the information is suspicious, based on the heuristic analysis. Notedecision410. Such determination may be made based on predefined thresholds compared to results of the heuristic, analysis, just by way of example. Still yet, a determination that the information is suspicious may indicate that the attempt to access the data is suspicious, that the data is at least potentially being subjected to data leakage, etc.

If it is determined that the information is not suspicious, further attempts to access data on the server are monitored (operation402). Of course, however, attempts to access data on the server, as inoperation402, may be continuously monitored. In this way, attempts to access data on the server may be monitored during a heuristic analysis of any identified attempts.

If however, it is determined that the information is suspicious, action is taken, as shown inoperation412. As an option, the action taken may be based on the type of access attempted. For example, if the access includes reading the data or opening the data, the action may include communicating a notification e.g. alert, etc.) to an administrator, user, etc. In another example, if the access includes modifying the data, transmitting the data, deleting the data, etc., the action may include preventing the access or the attempted use/manipulation of the data.

As another option, the action taken may be based on the data attempted to be accessed. In this way, particular types of data may each be associated with different actions e.g. based on user definitions, etc.). For example, if the access is associated with an ACL, the action may include preventing the access. As another example, if the access is associated with an email message, the action may include communicating a notification.

As yet another option, the action taken may be based on the characteristics, patterns, etc. identified by the heuristic analysis, in one embodiment, if the heuristic analysis determines that a predetermined number of modifications have been attempted to modify an ACL (e.g. within a predefined time period, etc.), the action may include preventing an access to the ACL. In another embodiment, if the heuristic analysis determines that identification data utilized in the attempt to access the data has previously been utilized by a different user, the action may include communicating a notification to the different user, an administrator, etc.

Of course, it should be noted that the action taken may be selected in any desired manner. Further, the action may include any desired action capable of being taken in response to a determination that the information is suspicious. To this end, data leakage may be prevented by taking action when information associated with an attempt to access the data is determined to be suspicious.

in one exemplary embodiment, an attempt to modify an ACL is identified. The modification may include changing permissions designated by the ACL, for example. In response to identification of the attempt, information associated with such attempt is recorded. As an option, the information may include a source (e.g. computer, user, etc.) that initiated the attempt.

The recorded information is further heuristically analyzed. For example, the recorded information may be analyzed in view of other recorded information associated with other attempts to modify the ACL. Accordingly, a pattern of attempts to modify the ACL (e.g. by a particular computer, within a predetermined time period, etc.) may be identified. In response to an indication that the information is suspicious (based on the heuristic analysis), an action may be taken to prevent the attempted modification to the ACL. In this way, in response to a determination that information associated with an attempt to modify an ACL is suspicious, such access may be prevented.

In another exemplary embodiment, an attempt to log on to a server utilizing identification data is identified. In response, information associated with the attempt is recorded. Such information may identify a source of the attempt, the identification data, etc.

Further, the information is heuristically analyzed. Such heuristic analysis may include identifying previously recorded information associated with the identification data. In addition, the heuristic analysis may include determining whether the identification data was associated with different sources, based on the identification of the previously recorded information. For example, information indicating that different sources utilized the identification data may signify that the information associated with the attempt to log on to the server is suspicious. Optionally, such signification may be based on whether the identification data was used intermittently between a pair of, or more, different sources.

In this way, the heuristic analysis may be utilized for identifying at least potential data leakage by way of possible unauthorized use of identification data. In response to such situation, use of the identification data may be prevented (e.g. for all sources, for sources that do not include a source to which the identification data is registered, etc.). As other option, in response to the identification of potential data leakage, a notification may be communicated to a user, computer, etc. registered to the identification data.

In yet another exemplary embodiment, an attempt to access data on a server identification data is identified. In response, information associated with the attempt is recorded. For example, such information may include a source of the attempt, the identification data utilized, etc. Thus, the information may indicate a location of the identification data, based on the identified source.

Identification of any differences may optionally indicate that the information is suspicious. For example, differences in sources utilizing the same identification data may indicate unauthorized use of the identification data by sources (e.g. via theft of such identification data etc.) for illegitimately accessing data such as potentially confidential data, associated therewith. Of course, this may not be deemed unauthorized use all of the time, as some users access the data from two or more different locations. Accordingly, the attempt to access the data may be prevented for avoiding potential leakage of the data. To this end, in situations where identification data, such as an identification file uniquely registered to a user, is compromised, access to data utilizing the identification data may be prevented.

In still yet another exemplary embodiment, an attempt to access data is identified. In response, information associated with the attempt is recorded. In the context of the present exemplary embodiment, such information may include a source of the attempt.

Moreover, the stored information is heuristically analyzed. Such heuristic analysis may include determining whether any previously recorded information is associated with an access attempt with respect to the data. Optionally, only information recorded within a predetermined amount of time previous to the identified attempt may be identified. As another option, only information which indicates that the data is still being accessed based on a previous attempt may be identified.

In this way, it may be determined whether the data associated with the access attempt is currently being accessed by another source. In response to such a scenario, the identified attempt to access the data may be prevented. In this way, access to the same data by different sources simultaneously may be prevented. As another option, access to such data may be allowed simultaneously, but notifications may be communicated to such sources.

While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.